Merge branch 'main' into feat/kerberoast-no-preauth

Author: mpgn

nxc/cli.py

@@ -25,7 +25,6 @@ def gen_cli_args():
         COMMIT = ""
         DISTANCE = ""
     CODENAME = "SmoothOperator"
-    nxc_logger.debug(f"NXC VERSION: {VERSION} - {CODENAME} - {COMMIT} - {DISTANCE}")
 
     generic_parser = argparse.ArgumentParser(add_help=False, formatter_class=DisplayDefaultsNotNone)
     generic_group = generic_parser.add_argument_group("Generic", "Generic options for nxc across protocols")
@@ -133,7 +132,7 @@ def gen_cli_args():
     if hasattr(args, "get_output_tries"):
         args.get_output_tries = args.get_output_tries * 10
 
-    return args
+    return args, [CODENAME, VERSION, COMMIT, DISTANCE]
 
 
 def get_module_names():

nxc/config.py

@@ -1,7 +1,6 @@
-import os
 from os.path import join as path_join
 import configparser
-from nxc.paths import NXC_PATH, DATA_PATH
+from nxc.paths import DATA_PATH, CONFIG_PATH
 from nxc.first_run import first_run_setup
 from nxc.logger import nxc_logger
 from ast import literal_eval
@@ -10,25 +9,25 @@
 nxc_default_config.read(path_join(DATA_PATH, "nxc.conf"))
 
 nxc_config = configparser.ConfigParser()
-nxc_config.read(os.path.join(NXC_PATH, "nxc.conf"))
+nxc_config.read(CONFIG_PATH)
 
 if "nxc" not in nxc_config.sections():
     first_run_setup()
-    nxc_config.read(os.path.join(NXC_PATH, "nxc.conf"))
+    nxc_config.read(CONFIG_PATH)
 
 # Check if there are any missing options in the config file
 for section in nxc_default_config.sections():
     if not nxc_config.has_section(section):
         nxc_logger.display(f"Adding missing section '{section}' to nxc.conf")
         nxc_config.add_section(section)
-        with open(path_join(NXC_PATH, "nxc.conf"), "w") as config_file:
+        with open(CONFIG_PATH, "w") as config_file:
             nxc_config.write(config_file)
     for option in nxc_default_config.options(section):
         if not nxc_config.has_option(section, option):
             nxc_logger.display(f"Adding missing option '{option}' in config section '{section}' to nxc.conf")
             nxc_config.set(section, option, nxc_default_config.get(section, option))
 
-            with open(path_join(NXC_PATH, "nxc.conf"), "w") as config_file:
+            with open(CONFIG_PATH, "w") as config_file:
                 nxc_config.write(config_file)
 
 # THESE OPTIONS HAVE TO EXIST IN THE DEFAULT CONFIG FILE

nxc/context.py

@@ -1,17 +1,19 @@
 import configparser
 import os
 
+from nxc.paths import NXC_PATH, CONFIG_PATH
+
 
 class Context:
     def __init__(self, db, logger, args):
         for key, value in vars(args).items():
             setattr(self, key, value)
 
         self.db = db
-        self.log_folder_path = os.path.join(os.path.expanduser("~/.nxc"), "logs")
+        self.log_folder_path = os.path.join(NXC_PATH, "logs")
         self.localip = None
 
         self.conf = configparser.ConfigParser()
-        self.conf.read(os.path.expanduser("~/.nxc/nxc.conf"))
+        self.conf.read(CONFIG_PATH)
 
         self.log = logger

nxc/first_run.py

@@ -8,18 +8,16 @@
 
 
 def first_run_setup(logger=nxc_logger):
-    if not exists(TMP_PATH):
-        mkdir(TMP_PATH)
-
     if not exists(NXC_PATH):
         logger.display("First time use detected")
         logger.display("Creating home directory structure")
         mkdir(NXC_PATH)
+    if not exists(TMP_PATH):
+        mkdir(TMP_PATH)
 
     folders = (
         "logs",
         "modules",
-        "protocols",
         "workspaces",
         "obfuscated_scripts",
         "screenshots",
@@ -46,7 +44,3 @@ def first_run_setup(logger=nxc_logger):
         logger.display("Copying default configuration file")
         default_path = path_join(DATA_PATH, "nxc.conf")
         shutil.copy(default_path, NXC_PATH)
-
-    # if not exists(CERT_PATH):
-    #         if os.name != 'nt':
-    #         if e.errno == errno.ENOENT:

nxc/helpers/logger.py

@@ -1,9 +1,10 @@
 import os
 from termcolor import colored
+from nxc.paths import NXC_PATH
 
 
 def write_log(data, log_name):
-    logs_dir = os.path.join(os.path.expanduser("~/.nxc"), "logs")
+    logs_dir = os.path.join(NXC_PATH, "logs")
     with open(os.path.join(logs_dir, log_name), "w") as log_output:
         log_output.write(data)
 

nxc/loaders/protocolloader.py

@@ -2,14 +2,12 @@
 from importlib.machinery import SourceFileLoader
 from os import listdir
 from os.path import join as path_join
-from os.path import dirname, exists, expanduser
+from os.path import dirname, exists
+
 import nxc
 
 
 class ProtocolLoader:
-    def __init__(self):
-        self.nxc_path = expanduser("~/.nxc")
-
     def load_protocol(self, protocol_path):
         loader = SourceFileLoader("protocol", protocol_path)
         protocol = ModuleType(loader.name)
@@ -18,27 +16,22 @@ def load_protocol(self, protocol_path):
 
     def get_protocols(self):
         protocols = {}
-        protocol_paths = [
-            path_join(dirname(nxc.__file__), "protocols"),
-            path_join(self.nxc_path, "protocols"),
-        ]
-
-        for path in protocol_paths:
-            for protocol in listdir(path):
-                if protocol[-3:] == ".py" and protocol[:-3] != "__init__":
-                    protocol_path = path_join(path, protocol)
-                    protocol_name = protocol[:-3]
-
-                    protocols[protocol_name] = {"path": protocol_path}
-
-                    db_file_path = path_join(path, protocol_name, "database.py")
-                    db_nav_path = path_join(path, protocol_name, "db_navigator.py")
-                    protocol_args_path = path_join(path, protocol_name, "proto_args.py")
-                    if exists(db_file_path):
-                        protocols[protocol_name]["dbpath"] = db_file_path
-                    if exists(db_nav_path):
-                        protocols[protocol_name]["nvpath"] = db_nav_path
-                    if exists(protocol_args_path):
-                        protocols[protocol_name]["argspath"] = protocol_args_path
 
+        proto_path = path_join(dirname(nxc.__file__), "protocols")
+        for protocol in listdir(proto_path):
+            if protocol[-3:] == ".py" and protocol[:-3] != "__init__":
+                protocol_path = path_join(proto_path, protocol)
+                protocol_name = protocol[:-3]
+
+                protocols[protocol_name] = {"path": protocol_path}
+
+                db_file_path = path_join(proto_path, protocol_name, "database.py")
+                db_nav_path = path_join(proto_path, protocol_name, "db_navigator.py")
+                protocol_args_path = path_join(proto_path, protocol_name, "proto_args.py")
+                if exists(db_file_path):
+                    protocols[protocol_name]["dbpath"] = db_file_path
+                if exists(db_nav_path):
+                    protocols[protocol_name]["nvpath"] = db_nav_path
+                if exists(protocol_args_path):
+                    protocols[protocol_name]["argspath"] = protocol_args_path
         return protocols

nxc/modules/aws-credentials.py

@@ -0,0 +1,48 @@
+class NXCModule:
+    """
+    Search for aws credentials files on linux and windows machines
+
+    Module by Fortress
+    """
+
+    name = "aws-credentials"
+    description = "Search for aws credentials files."
+    supported_protocols = ["ssh", "smb", "winrm"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self):
+        self.search_path_linux = "'/home/' '/tmp/'"
+        self.search_path_win = "'C:\\Users\\', 'C:\\ProgramData\\AWSCLI\\', 'C:\\Temp\\'"
+
+    def options(self, context, module_options):
+        r"""
+        SEARCH_PATH_LINUX	Linux location where to search for aws credentials related files
+                                Default: "'/home/' '/tmp/'"
+
+        SEARCH_PATH_WIN		Windows locations where to search for aws credentials related files
+                                Default: "'C:\\Users\\', 'C:\\ProgramData\\AWSCLI\\', 'C:\\Temp\\'"
+        """
+        if "SEARCH_PATH_LINUX" in module_options:
+            self.search_path_linux = module_options["SEARCH_PATH_LINUX"]
+
+        if "SEARCH_PATH_WIN" in module_options:
+            self.search_path_win = module_options["SEARCH_PATH_WIN"]
+
+    def on_login(self, context, connection):
+        # search for aws_credentials-related files on linux systems
+        if "ssh" in context.protocol:
+            search_aws_creds_files_payload = f"find {self.search_path_linux} -type f  -name credentials -exec grep -l 'aws_' {{}} \\; 2>&1 | grep -v 'Permission denied$'"
+            search_aws_creds_files_cmd = f'/bin/bash -c "{search_aws_creds_files_payload}"'
+            output = connection.execute(search_aws_creds_files_cmd)
+        else:
+            # search for aws_credentials-related files on windows systems
+            # we have to exclude "Application Data" as this creates an infinite recursion, see: https://www.reddit.com/r/PowerShell/comments/17pctnv/symbolic_link_application_data_in_appdatalocal/
+            search_aws_creds_files_payload_win = f"Get-ChildItem -Path {self.search_path_win} -Recurse -Force -Include 'credentials' -ErrorAction SilentlyContinue | Where-Object {{ Select-String -Path $_.FullName -Pattern 'aws' -Quiet }} | Select-Object -ExpandProperty FullName"
+            search_aws_creds_files_cmd_win = f'powershell.exe "{search_aws_creds_files_payload_win}"'
+            output = connection.execute(search_aws_creds_files_cmd_win, True)
+
+        if output:
+            context.log.success("The following files were found:")
+            for line in output.splitlines():
+                context.log.highlight(line.rstrip())

nxc/modules/backup_operator.py

@@ -6,7 +6,6 @@
 from impacket.smbconnection import SessionError
 from impacket.dcerpc.v5 import transport, rrp
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE
-
 from nxc.paths import NXC_PATH
 
 

nxc/modules/badsuccessor.py

@@ -187,7 +187,7 @@ def on_login(self, context, connection):
         for dc in parsed_resp:
             if "2025" in dc["operatingSystem"]:
                 out = connection.resolver(dc["dNSHostName"])
-                dc_ip = out[0] if out else "Unknown IP"
+                dc_ip = out["host"] if out else "Unknown IP"
                 context.log.success(f"Found domain controller with operating system Windows Server 2025: {dc_ip} ({dc['dNSHostName']})")
             else:
                 context.log.fail("No domain controller with operating system Windows Server 2025 found, attack not possible. Enumerate dMSA objects anyway.")

nxc/modules/change-password.py

@@ -34,7 +34,6 @@ def options(self, context, module_options):
             netexec smb <DC_IP> -u username -p password -M change-password -o USER='target_user' NEWPASS='target_user_newpass'
             netexec smb <DC_IP> -u username -p password -M change-password -o USER='target_user' NEWNTHASH='target_user_newnthash'
         """
-        self.context = context
         self.newpass = module_options.get("NEWPASS")
         self.newhash = module_options.get("NEWNTHASH")
         self.target_user = module_options.get("USER")
@@ -78,6 +77,7 @@ def authenticate(self, context, connection, protocol, anonymous=False):
             raise
 
     def on_login(self, context, connection):
+        self.context = context
         target_username = self.target_user or connection.username
         target_domain = connection.domain